SIM maker Gemalto denies damage amid NSA hacking fallout

Dutch-based chip maker Gemalto has acknowledged that American and British spy agencies tried hacking its systems years ago, but critics have slammed that response as denial and damage control.

In a statementWednesday, the multinational
corporation confirmed last week’s revelations of hacking by the
United States National Security Agency and Britain’s GCHQ in 2010
and 2011, claiming they “only breached its office networks and
could not have resulted in a massive theft of SIM encryption
keys” as reported.

Reporters who uncovered the hacking attempts have criticized
Gemalto’s statement, saying the company only learned about the
attacks last week when reached for comment, and that a proper
investigation in just five days was simply not possible.

The Intercept magazine, which published the original
investigation into the Gemalto hacks, quoted several security
experts who characterized the company’s statement as
“a lot of effort…to minimize and deny the impact of some old
attacks,” and more of a “damage assessment” than a
proper investigation.

“A true forensic investigation in such a complex environment
is not possible in this time frame,” Ronald Prins of the
Dutch firm Fox IT told The Intercept.

Last week, The Intercept published an investigation into the
hacks by Jeremy Scahill and Josh Begley, based on the revelations
by Edward Snowden, a former contractor for the NSA. Snowden’s
documents provided insight into how and why the surveillance
services targeted the Dutch-based multinational. Gemalto makes
some two billion SIM cards for 450 wireless providers around the
world, as well as chips for luxury cars and biometric US
passports. Its security technology is used by more than 3,000
financial institutions and 80 government organizations.

Gemalto’s statement claims no breaches were found in the secure
networks “running our SIM activity,” or “our other
products such as banking cards, ID cards or electronic
passports.”

We didn't know about the NSA hack when it occurred, but now
we're sure it failed. Alrighty then. http://t.co/g2XAVEz8xx

However, documents cited by The Intercept directly contradict
this: We “believe we have their entire network,” the
author of a secret GCHQ slide reportedly boasted.

The Intercept’s investigation reported that the hacks targeted
SIM cards belonging to mobile operators in “Afghanistan,
Yemen, India, Serbia, Iran, Iceland, Somalia, Pakistan and
Tajikistan.” Gemalto acknowledged this, but claimed these
cards were using the obsolete, 2G technology, and that current
users in the West – who rely on 3G, 4G and LTE technology – were
“not affected.”

Targeting the manufacturer of SIM cards, used in most mobile
devices around the world, would give the US and UK intelligence
agencies the ability to collect mobile communications without
government warrants or the permission of service providers.

Gemalto CEO to western intelligence agencies: go ahead and hack
us, we won't sue you, even with damning evidence.

Theft of the SIM keys “enables the bulk, low-risk
surveillance of encrypted communications,” Christopher
Soghoian, principal technologist for the American Civil Liberties
Union, told The Intercept. Gemalto and its employees were
targeted by spies “not because they did anything wrong, but
because they could be used as a means to an end,” he added.

According to The Intercept, fixing the security flaws in the
current mobile phone system that intelligence agencies
“regularly exploit” would take “billions of dollars,
significant political pressure, and several years.” Jeremy
Scahill, one of the authors of the original article, was
disappointed by Gemalto’s denials as much as the media's
willingness to take them at face value.

Eric King, deputy director of the London-based advocacy group
Privacy International, called trust in the security of
communications systems “essential for our society and for
businesses to operate with confidence” in a statement on
Wednesday, adding that “The impact of these latest
revelations will have ripples all over the world.”

Most of the reporting today on Gemalto's so-called
"investigation" (6 days!) is credulous and lazy. It's really
pathetic.

China appears to have taken notice already. Citing security
concerns over Western hardware, the government in Beijing has
dropped a number of Western companies from its approved state
purchase lists. Cisco, Apple, Citrix, and Intel’s McAfee security
software are among the affected.

However, unnamed technology executives told Reuters that security
concerns were only a pretext, and that the “real objective
was to nurture China's domestic tech industry and subsequently
support its expansion overseas.”